Microsoft considers patch for web threat

Microsoft is investigating a bug in Windows that allows hackers to use a web flaw to attack users.

The vulnerability stems from the way Windows resolves hostnames that do not include a fully qualified domain name (FQDN).

The Windows technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Customers whose domain name begins in a third-level or deeper domain, such as "contoso.co.us", are at risk.

The WPAD feature enables web clients to automatically detect proxy settings without user intervention. It prepends the hostname "wpad" to the fully qualified domain name and progressively removes subdomains until it finds a WPAD server answering for the resulting name.

A malicious user could host a WPAD server, potentially establishing it as a proxy server to conduct man-in-the-middle attacks against customers whose domains are registered as a subdomain to a second-level domain (SLD).
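The lookup sequence described above can be checked against your own DNS suffix. The following is an added example, not code from Microsoft or the advisory: it lists the WPAD names a devolving client would try and flags those that fall outside the organisation's own domain. The function names, the sample suffix "corp.contoso.co.us", and the assumption that devolution stops once two labels remain are illustrative; the registered domain is supplied by the caller.

```python
"""Added example: audit WPAD names implied by DNS suffix devolution."""


def wpad_candidates(primary_dns_suffix, min_labels=2):
    """Return WPAD hostnames in the order a devolving client would try them.

    Assumption: devolution stops once `min_labels` labels remain
    (2 = a second-level domain such as "co.us"); the article does not
    state the exact stopping point.
    """
    labels = [p for p in primary_dns_suffix.strip(".").lower().split(".") if p]
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]  # drop the leftmost subdomain and retry
    return names


def outside_control(primary_dns_suffix, registered_domain, min_labels=2):
    """Return the candidates that are not inside the organisation's domain.

    `registered_domain` is the domain the organisation actually owns,
    e.g. "contoso.co.us". Any candidate above it is answered by whoever
    controls that parent zone.
    """
    owned = registered_domain.strip(".").lower()
    risky = []
    for name in wpad_candidates(primary_dns_suffix, min_labels):
        parent = name[len("wpad."):]
        if parent != owned and not parent.endswith("." + owned):
            risky.append(name)
    return risky


if __name__ == "__main__":
    # Constructed sample input: a host joined to corp.contoso.co.us
    suffix, owned = "corp.contoso.co.us", "contoso.co.us"
    for name in wpad_candidates(suffix):
        flag = "OUTSIDE your domain" if name in outside_control(suffix, owned) else "ok"
        print(f"{name:30} {flag}")
```

An empty primary DNS suffix yields no candidates, which matches the unaffected case the advisory describes.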

Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured.

Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by the vulnerability either.

In an advisory, Microsoft goes on to list a number of other scenarios where users are not affected.

Customers can also disable "Automatically Detect Settings" in Internet Explorer to avoid any risk.

Microsoft said it was considering issuing a security patch to fix the problem. The next round of monthly security patches from Redmond is due next Tuesday (11 December).
